Working in the public sector requires a sense of socialization not always seen in private sector industries. City residents are often dependent on government officials for in-person services, engagement and acts of leadership, while systems, schedules and work policies are designed for staff to serve these in-person needs.
Now, an outbreak of the new coronavirus (COVID-19) has sent those expectations and working policies out the window. For some cities, a sense of significant cybersecurity may have gone with it.
Recently updated data from the U.S. Bureau of Labor Statistics found only 15.2% of local government employees regularly worked remotely from 2017-2018. Today, cities are seeing an unprecedented spike in that number as workers move to their home offices to abide with shelter-in-place orders and social distancing mandates. And as employee devices are more dispersed, cities become increasingly vulnerable to cyberattacks.
The challenge of protecting systems amid the pandemic is further complicated by a lack of internal IT staffing or resources from the jump. Many cities, especially those small- and mid-sized, have long struggled to build a secure arsenal of digital resources and staff due to limited budgets and resources
While it may be difficult for city IT professionals to enforce security protocols with a dispersed workforce, employees must prioritize vigilance against the kinds of hacks that have crippled cities like Atlanta, Baltimore and New Orleans. If just one employee opens a phishing email, the results could be costly, according to cybersecurity experts.
Distributed devices create more vulnerabilities
Even before the current pandemic, the likelihood and scale of cyberattacks on state and local governments had been intensifying.
The economic impacts of these attacks, especially ransomware attacks, can be severe. After New Orleans was hit with a ransomeware attack in December 2019, the city spent more than $7.2 million in recovery in just one month, with insurance only expected to cover about $3 million of those total costs. Officials said it could take until fall 2020 to fully restore its computer systems.
The debate of if cities should or should not pay ransom to hackers has been divisive. During the U.S. Conference of Mayors' Annual Meeting in July 2019, more than 200 mayors signed a resolution to not pay ransom in the event of a cyberattack. Yet a March report from Deloitte said some cities may find paying hackers to restore their systems as the "only logical solution" when compared to the costs of self-recovery.
With most city staffs now teleworking, governments are even more vulnerable to these costs and risks due to the sheer number of remote devices in use, the lack of a unified network and the need to protect all systems the same time, said Michael Lake, president and CEO of the nonprofit Leading Cities.
"Every single laptop or home internet network or whatnot that is going to be utilized during this period of time is just one more additional point of vulnerability for any city," Lake told Smart Cities Dive, noting it's difficult to quickly build out the necessary security infrastructure that may had been neglected up until now. Cities may also find it hard to justify a significant investment in cybersecurity right now — especially if they don't currently have staff with expertise in that area.
"There is no chief information secuity officer for a town of 25,000. It just doesn't exist."
"There is no chief information security officer for a town of 25,000. It just doesn't exist," Thad Eidman, COO at security platform provider Acreto, told Smart Cities Dive. "They have probably a director of IT or a vice president of IT and a couple of network people ... but that's about it. They don't have a staff of 200 cybersecurity professionals running all kinds of products."
While cities must be careful of their own systems' vulnerabilities, they must also be wary of vulnerabilities that could be present in the systems of third-party vendors or contractors. Those vendors could handle all manner of payments, data and other vital information, so it's crucial for cities to understand how they protect themselves, according to cybersecurity experts.
However, as private companies and big vendors are more likely have their own IT and cybersecurity staff, it can be tough for a city to police and implement security protocols.
"It could be an internal user putting a thumb drive in, but then the vendor's system gets rolled, in part because you have this ambiguous responsibility and ownership," Mike Duffy, founder and CEO of digital service platform CityBase told Smart Cities Dive in an interview last year. "You don't have unfettered access either way."
Some cities have distributed virtual private networks (VPNs) to employees to enhance the security of their remote work, but Eidman warned those could be vulnerable to hacking. VPNs extend a private network across a public one to allow employees to access data and other information that may only be available at city hall, but they come with their own risks.
"If you go to the airport and you try to board a flight, the first thing that happens is you have to go to the checkpoint where they check your license and your ticket," Eidman said. "That's really identity [like a VPN]. But that is not security. The next thing that happens is you have to put your bag through a scan, where they look for all the bad stuff. That's not what a VPN does. A VPN does not look at the content of the message."
Other security systems can be complex or take a long time to set up, said Nathan Pawl, president of network security firm Blacksands, and the associated costs might make cities question whether to proceed at all. Simpler solutions that take a matter of hours or days to set up are much more ideal, he said.
"Traditional technologies out there, for every single new connection, is a two to three-month process at minimum [to enable a security system] with a full project IT team," Pawl told Smart Cities Dive. "You can imagine you may have hundreds or thousands of these individuals who are trying to get connected in a secure way. It's just not feasible."
But not all hope is lost. Many cloud-based services and products have proven beneficial for cities going virtual due to their built-in security measures, Andrew D'Ottavio, director of customer success at Accela, told Smart Cities Dive. Accela recently unveiled a suite of tools to help governments maintain "normal" operations through online resident services, virtual inspections and help with permitting.
"Just access to information or data within the product, because it's a platform, is very controlled, so we can get very granular within the product as well, not just the technology and the hosting security requirements," D'Ottavio said. "It's got multiple layers."
Meanwhile, Duffy said Amazon Web Services (AWS), which has a global security infrastructure and data centers that allow professionals to monitor traffic and any suspicious activity, should be a go-to for cities.
"Your security defenses are only as good as the number of attacks that you observe," Duffy said. "When you have your own infrastructure and have co-located your own data center, you're only seeing your own attacks. When you're using some of the resources of an Amazon, for example, together we're seeing globally all the attempts that are happening across their infrastructure, so we have more perfect information in the sense that it's coming faster to us."
There is evidence that communicating the importance of cybersecurity has not been top of mind in some cities. During the 2018 Smart Cities New York conference, Atlanta Mayor Keisha Lance Bottoms said the March 2018 cyberattack on the city came as a "surprise" to city staff and residents, as cybersecurity was initially "not a topic of conversation."
Some cities have since learned from these mistakes and were proactive in telling employees how to stay safe online during the pandemic, especially when handling city data on municipal equipment. For instance, the City of Mesa, AZ provided employees with tips on security "beyond the office," with hints on creating strong passwords, using active antivirus software and using secure Wi-Fi networks.
Clear communication in this area is key, though it can be hard to incentivize employees to change behavior, Lake said.
"Frankly, the reality is there's nothing that will teach you faster than being a victim yourself," Lake said, noting the "next best thing" is to be vigilant in communication and in informing employees when they take actions that are unsafe.
In cities that haven't yet practiced or allowed remote work, these can be especially challenging times, D'Ottavio warned. He said the workforce will need to be educated on all the necessary protocols, be set up with new equipment and have supervisors ensure meetings carry on as normal, albeit over video.
"Frankly, the reality is there's nothing that will teach you faster than being a victim yourself."
President and CEO, Leading Cities
Showing employees the economic losses a city government must endure when it's hacked could be another way to adhere strong cybersecurity practices, Eidman said.
"I think a lot of times, what we see is that some directive or instructions or orders or whatever will come down from on top that say, 'Hey, don't do this, don't do this, these are bad things,'" Eidman said. "I think there's less time being spent on, why is this important? What happens if we have a breach and how does that impact not only the city but the trust with our community?"
To keep up with all of our coverage on how the new coronavirus is impacting U.S. cities, visit our daily tracker.